github OpenVPN/openvpn v2.7.5

4 hours ago

Security fixes:

  • openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect.
    specific combinations of --dns config entries plus local DNS config
    could lead to corruption of pre-openvpn DNS config (CVE-2026-13379)

    Bug found by 章鱼哥 (www.aipyaipy.com).

  • Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed
    sequence of control channel + authentication packets (CVE-2026-12996)

    Bug found by multiple researchers:

  • Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable
    sequence of dynamic tls-crypt control-channel packets (CVE-2026-13117)

    Bug found by multiple researchers:

    • Trace37 Labs (github.com/trace37labs)
    • Haiyang Huang

  • Fix server crash on reception of suitably malformed auth-token, if
    --auth-gen-token external-auth is active (CVE-2026-13122)

    Bug found by Haiyang Huang.

  • Fix memory-leak in tls-crypt-v2 client key handling that could lead
    to out-of-memory situations and subsequent server crashes (CVE-2026-12932)

    Bug found by Valton Tahiri.

  • Fix possible 1-byte buffer overrun on NTLMv2 proxy responses.
    (CVE-2026-11771)

    Bug found by Tristan Madani (@TristanInSec).

  • Fix another memory leak on reception of suitable tls-crypt-v2 packets
    that could lead to an out of memory situation and server crash
    (CVE-2026-13698)

    Bug found by Max Fillinger. Overlaps with a report
    from Valton Tahiri that we believe to
    be fixed by this bugfix as well.

Bugfixes:

  • Windows: fix plugin trusted-dir check prefix bypass
    (this fixes a bug in the path checking logic we do on Windows for
    "is loading a plugin from this path allowed?", but since we could
    not find a way to exploit this unless starting with admin privs or
    a social engineering attack, not classified as a security fix)
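    The general shape of the bug class named in this bullet, as an added
    illustration that is not OpenVPN's own code: a trusted-directory check
    written as a bare string-prefix match also accepts a sibling directory
    that merely shares the prefix, whereas a check that requires a path
    separator right after the trusted directory (and rejects ".." components
    in the remainder) does not. The directory and file names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Both '\\' and '/' act as separators on Windows. */
static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* ASCII case-insensitive compare of n bytes, treating the two separator
 * characters as equal (Windows paths are case-insensitive). */
static bool ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char x = a[i], y = b[i];
        if (is_sep(x) && is_sep(y)) continue;
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return false;
    }
    return true;
}

/* Naive check: a bare prefix match. "C:\trusted\plugins" also matches
 * "C:\trusted\plugins-evil\x.dll" because nothing requires the match to
 * end on a directory boundary. */
bool plugin_dir_naive(const char *trusted_dir, const char *path)
{
    size_t n = strlen(trusted_dir);
    return strlen(path) >= n && ci_equal_n(trusted_dir, path, n);
}

/* Hardened check: the trusted directory must be followed by a separator,
 * and the remainder must not climb back out via a ".." component
 * (the ".." test is a companion hardening, not part of the reported bug). */
bool plugin_dir_strict(const char *trusted_dir, const char *path)
{
    size_t n = strlen(trusted_dir);
    while (n > 0 && is_sep(trusted_dir[n - 1])) n--;   /* ignore trailing '\' */
    if (n == 0 || strlen(path) <= n) return false;
    if (!ci_equal_n(trusted_dir, path, n) || !is_sep(path[n])) return false;

    const char *p = path + n;
    while (*p) {
        while (is_sep(*p)) p++;
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return false;
    }
    return true;
}
```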

  • Windows: openvpnserv: rework ConvertItfDnsDomains and tests
    (this fixes a buffer overread that is not exploitable and as such
    not classified as security fix)

  • options: fix use-after-free of DNS options on client connect
    (using suitable --dns or --dhcp-option DNS options in a server
    config - not pushed, but applying to the server itself - triggers a
    double free() and use-after-free condition, possibly crashing the
    server) (Github: OpenVPN/openvpn#1060)

  • dns: Fix memory leak in dns_server_addr_parse, if too many server
    addresses are configured (Github: OpenVPN/openvpn#1055)

  • improve multi-socket event handling further - multiple open UDP sockets
    with concurrent traffic could lead to inefficient processing, and the
    old code was also very hard to follow.

    (This was initially triggered by a report from Joshua Rogers using ZeroPath,
    but turned out to be "just bad code" not a security vulnerability)

  • Null-terminate tls-crypt client keys when testing - non-exploitable
    strlen() on a buffer that is not null-terminated

  • mudp: send HMAC reset reply synchronously -
    this fixes a bug where multiple incoming tls-crypt-v2 RESET packets
    on different sockets could end up overwriting each other's control
    structures, leading to initial handshake packets (HMAC reset reply)
    being sent to the wrong client IP, or on a non-suitable socket
    ("v4 packet on a v6 socket"). Since the overall flow here is stateless
    by nature, do not artificially create state by creating elaborate
    queues, just send-or-drop.

  • fix port-share and multi-socket interaction - port-share needs TCP
    listeners, but the check was wrong. So "as long as any of the listening
    sockets is TCP, port-share can be used" (Github: OpenVPN/openvpn#1027)

  • Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug
    where a server can push a suitable combination of options and make the
    client ASSERT().

    (Reported as security issue by Haiyang Huang,
    but it was decided that the server always has means to make the client
    "not function properly", and it can not be exploited beyond that)

  • Windows: socket: assert buffer length before reading prepended sockaddr
    family - a misbehaviour in the Windows DCO driver could trigger an
    overread in the userland client. No such driver bug exists, so this was
    not treated as a security vulnerability

Documentation improvements:

For details see Changes.rst

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.7.4...v2.7.5
